Domain=".hostimpl[... - how to interpret this cookie? - cookies

How do I interpret the domain in this cookie:
portal-referer=http%3A%2F%2Fservice.mail.com%2Fmcstarter%2Fmail.html%3F; Domain=".hostimpl[name=www.mail.com,domain=mail.com]"; Path=/
?
Maybe I have to add this cookie to a CookieContainer (C#) assigned to the URI "www.mail.com" and another copy of this cookie to the URI "mail.com"?
Thanks

Related

Are cookies with a longer domain listed before cookies with a shorter domain?

Say, for example, I had an application sending the following HTTP headers to set a cookie named "key1":
Set-cookie: key1=111; Domain=cc.net
Set-cookie: key1=222; Domain=bb.cc.net
Set-cookie: key1=222; Domain=aa.bb.cc.net
If I access aa.bb.cc.net on the server, I have three cookies named "key1", but how are these three cookies arranged? Are cookies with a longer domain listed before cookies with a shorter domain?
What does the RFC specify?

SameSite=Strict cookies are not included in 302 redirects when the user clicks a link from a different domain

A customer will link to one of our webpages on their site: customer.site/links.html
A person clicks that link and gets sent to our.site/webapp/handlerequest.aspx?someparam=somevalue
The value of someparam is set in a cookie with SameSite=Strict, and then a 302 redirect is used to another page on the same domain:
Request URL: https://our.site/webapp/handlerequest.aspx?someparam=somevalue
Request Method: GET
Status Code: 302
Remote Address: ...
Referrer Policy: strict-origin-when-cross-origin
cache-control: private
content-length: ...
content-type: text/html; charset=utf-8
date: ...
location: /webapp/someotheraction
server: Microsoft-IIS/10.0
set-cookie: someparam=somevalue; expires=Thu, 17-Mar-2022 14:41:13 GMT; path=/; secure; HttpOnly; SameSite=Strict
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
The browser does NOT include this cookie on the 302 redirect to /webapp/someotheraction.
This only started happening when we specifically changed our code to set this cookie to SameSite=Strict.
This occurs in Chrome, Firefox, Edge, and IE (old IE).
Is this on purpose? Why? Since we are going from one request on the domain to another request on the same domain, shouldn't the SameSite=Strict cookies be included? Does this have anything to do with the referrer policy defaulting to strict-origin-when-cross-origin? https://www.w3.org/TR/referrer-policy/ doesn't say anything about cookies.
This is a cross-site request because the initial navigation was cross-site (from customer.site to our.site). Strict cookies are never sent on cross-site requests. It doesn't matter that the request gets redirected (in this case, to another URL on our.site), just the fact that the user clicked on a cross-site link means the request is cross-site.
As for why this is the case, it's because the origin responsible for initiating the navigation is important in preventing cross-site request forgery (CSRF). Imagine if https://evil.site had a link to https://bank.site/transfer-funds which redirects to https://bank.site/transact. We wouldn't want Strict cookies to be sent to the /transact endpoint after the redirect, even if it was redirected to by the same site, because the initiating origin is cross-site.

Cookie is not stored in the brower, cross domain GET request

I have a domain (say cookiebaker.com) that provides files using GET requests. Whenever a request is made, the cookiebaker server adds a set-cookie header to the file response.
Here is an example header (Max-Age is set for 1 month in the future):
set-cookie: cookie_name=cookie_value; Max-Age=2592000; secure; HttpOnly; SameSite=Lax
Now when I call cookiebaker.com from a different domain (say munchies.com), I can see the set-cookie header in the GET response, but munchies.com does not store the cookie. I don't see the cookie in dev tools, and it is not uploaded in subsequent requests.
I am aware that I have to set the "withCredentials" flag to true when performing the GET request, but this didn't help in my case.
Here's my stripped down munchies.com code:
let request = new XMLHttpRequest();
request.open('GET', "https://cookieBaker.com?param=value");
request.withCredentials = true; // Tell the browser to receive cookies
request.send();
Is there anything else that could block the cookie from being stored in the browser? These are all my Access-Control headers included in the GET response (localhost is the "real" name of munchies.com for my testing):
access-control-allow-credentials: true
access-control-allow-headers: Authorization, Content-Type
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-origin: http://localhost
access-control-expose-headers: X-WP-Total, X-WP-TotalPages
You have explicitly set SameSite=Lax on the cookiebaker.com cookie, which will restrict it from being sent in a cross-site context, e.g. a fetch() originating from munchies.com.
For an explicit cross-site cookie, you should use SameSite=None; Secure. For more in-depth implementation detail, see https://web.dev/samesite-cookie-recipes
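The decision both answers above describe, as an added example (this is not code from either post, nor from any browser): a small Python model of the browser's SameSite send decision. It covers the 302 case, where the initiating site stays customer.site across the redirect so the Strict cookie is withheld on both hops while Lax and None cookies still go out on the top-level GET, and the cookiebaker.com request from munchies.com, where a Lax cookie is withheld because an XHR is not a top-level navigation and SameSite=None; Secure is what makes it attach. Assumptions: a URL's "site" is approximated as its last two DNS labels (real browsers use the Public Suffix List), the cookie jar is pre-populated rather than filled from Set-Cookie, the jar contents are constructed, and only the decision to attach a cookie is modelled, not whether a Set-Cookie is stored.

```python
"""Model of the browser's SameSite send decision (added example; not code from the posts
above or from any browser). Assumptions: a URL's "site" is its last two DNS labels
(browsers use the Public Suffix List), the jar is pre-populated, and only the decision
to attach a cookie is modelled, not whether a Set-Cookie is stored."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Assumption: registrable domain == last two labels (no public-suffix handling)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: str = "Lax"     # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:
    url: str
    initiator_site: str       # site of the document or link that started this navigation/fetch
    method: str = "GET"
    top_level: bool = True    # False for XHR/fetch/img and other subresource requests


def is_sent(cookie: Cookie, req: Request) -> bool:
    """Does the browser attach this cookie to this request?"""
    if cookie.secure and urlsplit(req.url).scheme != "https":
        return False
    if cookie.samesite == "None":
        return cookie.secure                   # SameSite=None is only honoured with Secure
    if site_of(req.url) == req.initiator_site:
        return True                            # same-site: Lax and Strict both attach
    if cookie.samesite == "Lax":
        return req.top_level and req.method in SAFE_METHODS   # cross-site top-level GET only
    return False                               # Strict never crosses a site boundary


def cookie_header(jar: List[Cookie], req: Request) -> str:
    return "; ".join(f"{c.name}={c.value}" for c in jar if is_sent(c, req))


def follow_redirects(jar: List[Cookie], first: Request, locations: List[str]) -> List[str]:
    """Cookie header for the first request and every redirect hop. The initiator does not
    change on a redirect: a 302 inside our.site is still part of the cross-site navigation."""
    headers = [cookie_header(jar, first)]
    for loc in locations:
        hop = Request(loc, first.initiator_site, "GET", first.top_level)
        headers.append(cookie_header(jar, hop))
    return headers


OUR_SITE_JAR = [   # constructed jar for our.site; the Strict cookie is the question's someparam
    Cookie("someparam", "somevalue", samesite="Strict", secure=True),
    Cookie("lax_session", "abc", samesite="Lax", secure=True),
    Cookie("tracker", "xyz", samesite="None", secure=True),
]


def redirect_case() -> List[str]:
    """Link on customer.site -> our.site/webapp/handlerequest.aspx -> 302 -> /webapp/someotheraction."""
    first = Request("https://our.site/webapp/handlerequest.aspx?someparam=somevalue", "customer.site")
    return follow_redirects(OUR_SITE_JAR, first, ["https://our.site/webapp/someotheraction"])


def xhr_case(samesite: str = "Lax") -> str:
    """withCredentials XHR from munchies.com to cookiebaker.com: not a top-level navigation."""
    jar = [Cookie("cookie_name", "cookie_value", samesite=samesite, secure=True)]
    req = Request("https://cookiebaker.com/?param=value", "munchies.com", "GET", top_level=False)
    return cookie_header(jar, req)


if __name__ == "__main__":
    print(redirect_case())        # Strict cookie absent on both hops
    print(repr(xhr_case("Lax")))  # '' : the Lax cookie is withheld from the cross-site XHR
    print(xhr_case("None"))       # cookie_name=cookie_value : SameSite=None; Secure attaches
```

Note that the model never consults the Referrer-Policy header: the referrer policy controls what the Referer header says, and has no bearing on cookie attachment. The security property the second answer describes is visible in `follow_redirects`: because the initiator is fixed for the whole chain, an attacker cannot launder a cross-site click into a same-site request by bouncing it through a redirect on the target site.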

Set domain cookie in HTTPoison (Elixir)

OK, so my new problem in Elixir is that I can't set an explicit domain when creating cookies.
In this case:
HTTPoison.get("httpbin.org/cookies", [{"User-agent", #userAgent}], hackney: [
cookie: "cookie1=1 cookie2=2"] ) do
When I create a cookie it will store a domain like .httpbin.org, but for a dummy reason I need to set the domain value to httpbin.org (without the leading dot).
I also tried:
HTTPoison.get("httpbin.org/cookies", [{"User-agent", #userAgent}], hackney: [
cookie: "cookie1=1 domain=httpbin.org cookie2=2"] ) do
But of course the syntax expects domain as a cookie name and httpbin.org as a cookie value.
Thank you!
What's the reason you want to remove the dot at the beginning? It's optional, and it should match the entire domain with or without the dot.
How do browser cookie domains work?
Also, I think the domain attribute is for the Set-Cookie header returned by the HTTP server rather than for requests from the client. httpbin (https://httpbin.org/cookies/set) returns the Set-Cookie header, but it doesn't specify a domain attribute (just Path=/). It would be taken as .httpbin.org by clients like browsers.
iex(25)> response = HTTPoison.get!("https://httpbin.org/cookies/set?k2=v2&k1=v1")
%HTTPoison.Response{body: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>Redirecting...</title>\n<h1>Redirecting...</h1>\n<p>You should be redirected automatically to target URL: /cookies. If not click the link.",
headers: [{"Server", "nginx"}, {"Date", "Fri, 18 Dec 2015 23:49:46 GMT"},
{"Content-Type", "text/html; charset=utf-8"}, {"Content-Length", "223"},
{"Connection", "keep-alive"}, {"Location", "/cookies"},
{"Set-Cookie", "k2=v2; Path=/"}, {"Set-Cookie", "k1=v1; Path=/"},
{"Access-Control-Allow-Origin", "*"},
{"Access-Control-Allow-Credentials", "true"}], status_code: 302}
iex(26)> :hackney.cookies(response.headers)
[{"k1", [{"k1", "v1"}, {"Path", "/"}]}, {"k2", [{"k2", "v2"}, {"Path", "/"}]}]
Sorry if I'm missing the point.
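A worked implementation of the RFC 6265 rules behind two of the questions on this page, the key1 ordering question ("Are cookies with a longer domain listed before ...") and the HTTPoison question about .httpbin.org, added here and not taken from any of the posts: parsing a Set-Cookie value, the Domain attribute (a leading dot is ignored, and a missing Domain makes the cookie host-only, which is what httpbin's "k2=v2; Path=/" produces), the domain-match and path-match tests of sections 5.1.3 and 5.1.4, and the Cookie header ordering of section 5.4, which sorts by longer path first and then by earlier creation time; domain length plays no part. A Domain value that is not a suffix of the request host fails domain-match and the cookie is ignored (section 5.3, step 6), which is also what this parser does with a value like the first question's .hostimpl[...] string. Assumptions: creation times are an integer counter, the "not an IP address" test inside domain-match is simplified to "not all digits", the default-path rule is reduced to "/", and the sample headers are constructed (the third key1 value is changed to 333 so the order is visible).

```python
"""RFC 6265 cookie-domain handling and Cookie-header ordering (added example,
not code from any post on this page). Assumptions: creation time is a counter,
the IP-address test is 'all digits', and a missing/invalid Path defaults to '/'."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str         # stored without a leading dot
    host_only: bool     # True when the Set-Cookie had no Domain attribute
    path: str
    creation_time: int  # assumption: a counter stands in for a timestamp


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain, or ends with '.' + domain and is a
    host name (assumption: an all-digit string is treated as an IP address)."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if not host.endswith(domain) or host[-len(domain) - 1] != ".":
        return False
    return not host.replace(".", "").isdigit()


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, request_host: str, creation_time: int) -> Optional[StoredCookie]:
    """Store one Set-Cookie header value per RFC 6265 sections 5.2 and 5.3, or None if ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()   # 5.2.3: a leading dot is ignored
    if domain:
        if not domain_matches(request_host, domain):
            return None    # 5.3 step 6: request host does not match Domain -> ignore cookie
        host_only = False
    else:
        domain, host_only = request_host.lower(), True      # 5.3 step 6: host-only cookie
    return StoredCookie(name.strip(), value.strip(), domain, host_only,
                        attrs.get("path") or "/", creation_time)


def cookie_header(jar: List[StoredCookie], url: str) -> str:
    """RFC 6265 section 5.4: select matching cookies, longer path first, then older first."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    request_path = parts.path or "/"
    chosen = [c for c in jar
              if (host == c.domain if c.host_only else domain_matches(host, c.domain))
              and path_matches(request_path, c.path)]
    chosen.sort(key=lambda c: (-len(c.path), c.creation_time))
    return "; ".join(f"{c.name}={c.value}" for c in chosen)


def key1_cookie_header(set_cookie_headers: List[str]) -> str:
    """The question's key1 cookies, received from aa.bb.cc.net in the given order."""
    jar = [parse_set_cookie(h, "aa.bb.cc.net", t) for t, h in enumerate(set_cookie_headers)]
    return cookie_header([c for c in jar if c is not None], "http://aa.bb.cc.net/")


def httpbin_case():
    """httpbin's 'k2=v2; Path=/' (no Domain) is host-only; the same cookie with
    Domain=.httpbin.org also covers www.httpbin.org. Returns the header for both hosts."""
    jar = [parse_set_cookie("k2=v2; Path=/", "httpbin.org", 0),
           parse_set_cookie("k1=v1; Domain=.httpbin.org; Path=/", "httpbin.org", 1)]
    return (cookie_header(jar, "https://httpbin.org/cookies"),
            cookie_header(jar, "https://www.httpbin.org/cookies"))


if __name__ == "__main__":
    # Constructed headers: the third value is 333 rather than the question's 222 so the order shows.
    headers = ["key1=111; Domain=cc.net", "key1=222; Domain=bb.cc.net", "key1=333; Domain=aa.bb.cc.net"]
    print(key1_cookie_header(headers))        # key1=111; key1=222; key1=333
    print(key1_cookie_header(headers[::-1]))  # key1=333; key1=222; key1=111
    print(httpbin_case())                     # ('k2=v2; k1=v1', 'k1=v1')
```

Two things worth noticing when running it: reversing the order in which the three key1 cookies arrive reverses the Cookie header, because creation time, not domain length, is the tiebreak among equal paths, so a server should not rely on which duplicate comes first. And the host-only distinction is what the HTTPoison discussion turns on: without a Domain attribute the httpbin cookie is sent only to httpbin.org exactly, while Domain=.httpbin.org (dot or no dot) makes it a domain cookie that is sent to every subdomain, which is a wider exposure than a host-only cookie.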

JMeter can't log in using cookies

Test Plan:
HTTP Cookie manager
1. Open login page (GET) - (send cookie with JSESSIONID)
2. Log in (POST) - (send cookie with LtpaToken2, receive cookie with JSESSIONID)
3. Create new app (POST)
The path contains ;jsessionid=${jsessionid} in Log in (POST).
I have strange behavior. I get the login page in the response to the POST methods, so the request is sent without exceptions but doesn't log in.
Also I noticed there is a different JSESSIONID for every operation.
For example
step1: Request - no cookies, Sampler result - Set-Cookie: JSESSIONID=00005VALCRoQLgAgEsC_CIOVc5x:-1; Path=/
step2: Request - Cookie Data:JSESSIONID=00005VALCRoQLgAgEsC_CIOVc5x:-1, Sampler result - Set-Cookie: JSESSIONID=0000OnEiWZdVvxMa8n0Sew2_4Pl:-1; Path=/
Step3: Request - Cookie Data:JSESSIONID=0000OnEiWZdVvxMa8n0Sew2_4Pl:-1 , Sampler result - Set-Cookie: JSESSIONID=0000xbnlZFrZuYSdaY12--sdgg1:-1; Path=/
What is wrong with my script? I need to log in to the portal.
Thanks in advance.
No longer relevant. The HTTP Cookie Manager manages all session cookies by default (JSESSIONID and ldap). I set the following parameters:
Clear cookie each iteration =Yes
Cookie Policy = Compatible
Implementation = HC4CookieHandler